Cybercriminals continue to show no malice when it comes to dead celebrity spam

At the time of writing it is almost one week since the world learned of the death of Michael Jackson.
The story I will tell the grandchildren of the ‘where were you when you heard’ was that I was at the Glastonbury festival when someone asked me if I had ‘heard the news?’ While I realise that my tale of a journey back to my tent from the information point is as relevant to SC as stories about refunds for tickets or the life of the man himself, what is interesting is how an information security angle has risen from this incident.
There is no doubt that death sells records and merchandise, as a glimpse at the footage of tributes across the world or the HMV/Amazon top ten albums will confirm, but death and major news also inspire cybercrime.
There have been numerous reports of viruses, scams and spam that refer to the King of Pop, and perhaps this is not especially surprising considering how quickly cybercriminals are able to use a recurrent theme to direct unsuspecting users.
A quick browse around some of the popular security blogs reveals that various scams and malware have already been detected by major vendors. One of the first to identify and report on malicious spam related to Jackson's death was Websense, whose Security Labs ThreatSeeker Network discovered spam emails offering apparent links to unpublished videos and pictures of Jackson.
Although the link, which purported to direct the user to a video on the YouTube website, unsurprisingly redirected instead to a Trojan Downloader on a compromised website, the scam was incredibly timely: it was identified the morning after the story broke.
According to Websense, the file was located on a legitimate website hosted in Australia belonging to a radio broadcasting station. Upon execution of the file, a legitimate website is opened by the default browser in order to distract the user by presenting a news article for them to read.
In the background, three further information-stealing components are downloaded and installed by the malware. One of the downloaded files is called michael.gif, which has low AV detection rates.
Meanwhile, a couple of days ago an email worm was detected by Sophos. Senior technology consultant Graham Cluley said that the email, which claims to come from sarah@michaeljackson.com, states that the attached ZIP file contains secret songs and photos of Michael Jackson. Again, opening the attachment exposes you to an infection, and if your computer is hit you will be spreading the worm on to other internet users.
This malware is also capable of spreading as an Autorun component on USB memory sticks, and Sophos detected the malware proactively as Mal/ZipMal-B and Mal/VB-AD.
Cluley claimed that since Jackson's death, there had been ‘an avalanche of spam, scams and malware attacks exploiting interest in the controversial figure’.
“In light of the huge interest in Jackson since his sudden death, there are likely to be many computer users who are tempted into opening the attachment. Long time followers of the computer security scene will be aware that although there has been much cybercriminal activity following Michael Jackson's death, he was not immune from having his name exploited by hackers when he was alive either,” said Cluley.
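As an added illustration (not code from Websense, Sophos or this article), the sketch below triages a parsed message for the traits of the two lures described above: a ZIP attachment, link text that names one site while the href points at another, and lure wording. The keyword list, the sample messages, `songs.zip` and `radio-station.example` are constructed assumptions.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

LURE_TERMS = ("unpublished", "secret songs")  # assumed keywords, taken from the lures quoted above
HOST_RE = re.compile(r"(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})")  # a hostname inside visible link text

class LinkCollector(HTMLParser):
    links, _href = (), None  # links becomes a per-instance tuple on first append
    def handle_starttag(self, tag, attrs):
        self._href = dict(attrs).get("href") if tag == "a" else self._href
    def handle_data(self, data):
        if self._href:  # text inside an <a>: remember (href, visible text)
            self.links += ((self._href, data),)
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def triage(msg):
    findings, text = [], str(msg["Subject"] or "")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            findings.append("zip-attachment:" + name)
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()
            text += " " + body
            collector = LinkCollector()
            collector.feed(body)
            for href, shown in collector.links:
                real, claimed = urlparse(href).hostname or "", HOST_RE.search(shown.lower())
                if claimed and not ("." + real).endswith("." + claimed.group(1)):
                    findings.append(f"link-mismatch:{claimed.group(1)}->{real}")
    if any(term in text.lower() for term in LURE_TERMS):
        findings.append("news-lure")
    return findings  # empty list: none of the three traits matched

def build(subject, body, subtype="plain", zip_name=None):
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body, subtype=subtype)
    if zip_name:  # the four-byte ZIP magic stands in for a real archive
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename=zip_name)
    return m

# Constructed sample messages, not captured mail.
WORM = build("Secret songs and photos", "See the attached ZIP.", zip_name="songs.zip")
LINK = build("Unpublished videos", '<a href="http://radio-station.example/v.exe">www.youtube.com/watch</a>', "html")
BENIGN = build("Lunch on Friday", '<a href="https://www.youtube.com/watch?v=1">youtube.com</a>', "html")
```

A finding here is a reason to hold a message for inspection, not a verdict; plenty of legitimate mail carries ZIP files.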
Just a few hours after the news broke, McAfee Avert Labs researcher Guilherme Venere wrote in a blog: “Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. The most common attack vector is email. Watch out for spam offering links to ‘news’ or ‘pictures’ of deceased celebrities.
“But another way to attract visitors looking for news is a technique known as search engine optimisation (SEO). Blackhats use SEO to inflate search engine results in an attempt to put their results on top of the list and drive more users to fake websites offering ‘more information’ about the current trendy news. When the users click on the fake links, they are susceptible to any kind of attack, spyware or malware installation, or information theft.”
In agreement was Randy Abrams, director of technical education at ESET, who said: “If you receive an email about Michael Jackson simply delete it unless you know the sender and you verify (call, email or chat) the sender actually did send it to you.
“If you receive an IM about Michael Jackson and it has a link, ignore the link. Don't click on it. If you want to find real news about Michael Jackson then go to a real news site. Don't fall for the hoaxes in email, Instant Messenger (chat), tweets on Twitter, or other social networking sites.”
Much like when spammers sent out malware relating to the death of actress Natasha Richardson or used the swine flu headlines to intercept search engine results, this story has once again proved that subject-related malware often arrives only a matter of hours after a major news story breaks.
However, on a slightly more positive note, Symantec's Samir Patil claimed that there is a decided lack of spam related to the annual Independence Day holiday in the US this Saturday, due to the Jackson story still dominating the headlines.
However, web users were still warned to be cautious despite a decided lack of effort on the spam side. Patil said: “The subject lines for these spam messages seem legitimate and are often the subject lines used in valid promotional emails. So, users need to take extra care while opening any email with this type of subject line/content.
“Because Independence Day is still a few days away, we expect that spammers might continue pushing such fake-but-catchy offers into users' inboxes.”
